node: HTTP vhost validation rejects mixed-case Host headers #34692

@afurm

System information

CL client & version: N/A
OS & Version: macOS 26.4 (Darwin 25.4.0 arm64)
Commit hash : 58557cb4635d4e6f3e49fcdc82a6469554e929a6

Expected behaviour

HTTP virtual host validation should treat hostnames case-insensitively.

If test is present in the configured vhost allowlist, requests with Host: test,
Host: TEST, or Host: TeSt:1234 should all be accepted.

Actual behaviour

The configured vhost allowlist is normalized to lowercase, but the incoming HTTP
Host header is compared without lowercasing it first.

As a result, a request with a mixed-case hostname such as Host: TeSt:1234 is
rejected with:

HTTP/1.1 403 Forbidden
invalid host specified

This is a user-facing RPC issue because hostname matching is expected to be
case-insensitive.

Steps to reproduce the behaviour

  1. Start geth with HTTP RPC enabled and a lowercase vhost allowlist entry, for example:

      geth --http --http.addr 127.0.0.1 --http.port 8545 --http.api web3 --http.vhosts test

  2. Send a JSON-RPC request with a mixed-case Host header:

      curl -i \
        -H 'Host: TeSt:1234' \
        -H 'Content-Type: application/json' \
        --data '{"jsonrpc":"2.0","id":1,"method":"web3_clientVersion","params":[]}' \
        http://127.0.0.1:8545

  3. Observe that the request is rejected with 403 Forbidden.

  4. Repeat the same request with Host: test and observe that it succeeds.

Backtrace

No panic/backtrace. The issue is a clean but incorrect HTTP 403 response from
the vhost validation path.
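
The expected behaviour described in this report, as an added example that is not part of the original issue and is not go-ethereum's code: a stand-alone Go handler that strips the port and lowercases the incoming Host value before the allowlist lookup. The names `asciiLower`, `hostAllowed` and `statusFor` are hypothetical, the allowlist `{"test"}` is constructed, and folding only ASCII letters (so that non-ASCII characters such as U+212A cannot lowercase onto an allowlisted ASCII name) is a choice of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// asciiLower folds only A-Z, so non-ASCII bytes never collapse onto ASCII letters.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// hostAllowed strips any port, then compares the hostname case-insensitively.
func hostAllowed(allow map[string]bool, rawHost string) bool {
	host, _, err := net.SplitHostPort(rawHost)
	if err != nil {
		host = rawHost // no port in the header
	}
	return allow[asciiLower(host)]
}

// statusFor sends one request with the given Host header through a guarded handler.
func statusFor(host string) int {
	allow := map[string]bool{"test": true} // constructed; stored lowercase, as in the report
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(allow, r.Host) {
			http.Error(w, "invalid host specified", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:8545/", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("test"), statusFor("TEST"), statusFor("TeSt:1234"), statusFor("other:1234"))
}
```

This sketch covers only the hostname comparison; it does not model any other rule the node's vhost check may apply.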
